1. Field of the Invention
The present invention relates generally to computer network attacks, and more particularly to identifying a geographic region in which an attack or probe originated.
2. Description of Related Art
A variety of attacks on computer networks have been documented. A source, a target, and a type characterized most attacks. Various security management systems have been developed to assist in the recognition of attacks, e.g., the identification of the type of attack. Typically, log data from firewalls and intrusion detection systems (IDSs) was stored for subsequent analysis and use.
Sometimes before the log data was stored, attempts were made to correlate events in the log data to assist in identifying an attack, the start of an attack, or anomalous events that could indicate gathering of information for a subsequent different type of attack, for example.
Due to attackers using variable Internet Protocol (IP) addresses assigned from blocks allocated to Internet Service Providers (ISPs), or using IP addresses that are cloaked behind known proxy servers, the IP source address may not serve as a valid identity of the potential attacker for the purposes of trend analysis, or as a search key in security event databases. Thus, it is often difficult or impossible to obtain useful information based upon the IP source address to identify the origin of an attack.